
Marcos

Group: Administrators
Posts: 38,068
Days Won: 1,509

Everything posted by Marcos

  1. As suggested, contact Palo Alto Networks to resolve the false positive. Since it is their products that trigger the FP, we cannot influence the detection.
  2. I overlooked the information that it was found in an xpi file. It's unlikely to be a false positive, however, @portman please submit the xpi file to ESET for further analysis to confirm the detection. For instructions, read https://support.eset.com/kb141.
  3. There is a malicious js that ESET detects as JS/Agent.NYX and which caused blocking of the domain.
  4. If you are sure that ESET is causing the issue, did you try temporarily uninstalling it so as not to blame the innocent?
  5. First of all, we kindly ask you to not steal someone else's topic but instead create a new one next time. The Malware Finding and Cleaning forum is intended for queries like yours. To answer your question, the website appears to have been compromised. An administrator should clean it and take measures to prevent further re-infection.
  6. I recall it's detected as a potentially unwanted application. Does temporarily pausing protection make a difference?
  7. I would recommend contacting customer care and creating a support ticket so that the issue is properly tracked and investigated. They should provide you with a logging version of the Outlook plug-in and subsequently pass the logs to developers for perusal.
  8. Please gather all logs with ELC. The Detected threats log is empty. The sample that was used to create a detection was dropped by an InnoSetup installer so it's likely it was installed with some programs on your machine. You are right, ESET appears to be the only AV to detect it which is a good example of how well ESET protects users from threats that are missed also by AVs with 100% detection in tests.
  9. Please report incorrectly blocked websites as per https://support.eset.com/kb141. It's possible that the website was compromised in the past and has been cleaned in the meantime.
  10. Please post the appropriate records from the Detected threats log.
  11. That would happen if a process accessed the web cam while the system is starting and the device control has not been fully initialized yet. The issue is being investigated and I hope there could be more information available on this within the next few days. It also appears it has something to do with processes running in the local system account.
  12. I'd suggest contacting your local customer care. After entering a license key no further user information is requested unless you activate a trial version.
  13. Hello, there's no attempt to run chromesetup.exe logged in the logs you have provided. Please provide ELC logs.
  14. It depends. Some licenses may be locked down to a specific country.
  15. This is beyond the scope of support here, but you can find many guidelines on the Internet on how to create one, e.g. at https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl, https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs and many others.
  16. Changing the logging verbosity to warnings in rules that you want to have reported to ESMC when applied should do the trick.
  17. Maybe a Procmon log with advanced logging enabled generated during an attempt to launch Chrome could shed more light. I assume that temporarily uninstalling ESET wouldn't make any difference, would it?
  18. Agent 6.x can communicate with ESMC, however, agent v7 cannot communicate with ERA. After upgrading from ERA to ESMC, send an ESMC upgrade component task to machines to upgrade the agent.
  19. If you have Windows 10 Enterprise, check AppLocker rules if you don't have one which would block a path or publisher: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules
  20. I take the liberty of correcting you - it's Windows 10 October 2018 Update (aka RedStone 5). Versions 10.1 and newer fully support it.
  21. Please submit the suspicious attachment (ideally the whole email in the eml or msg format) to samples@eset.com in an archive protected with the password "infected". If it's a new macro malware, using ESET Dynamic Threat Defense would likely improve the response and you'd get it detected quicker without waiting for the next engine module update.
  22. If egui.exe was running and you were logged in at that time, you should have received a warning. If you would like more info on the detection, supply me with ELC logs that also include quarantined files (can be selected in the ELC list of artifacts to gather).
  23. ACT.0 may be a temporary overload of activation servers, however, we haven't observed any issues with them recently. Please contact your local customer care.